Buhtrap Analysis

IOB - Indicator of Behavior (129)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en: 98
de: 14
ru: 14
es: 2
zh: 2


Country

ru: 118
us: 8
ag: 2
ga: 2


Actors


Activities

Interest

Timeline


Type


Vendor


Product

Microsoft Windows: 6
Calibre-Web: 4
Linux Foundation Xen: 4
DEXIS Imaging Suite: 2
ASN1C: 2


Vulnerabilities

# | Vulnerability | Base | Temp | 0day | Today | Exp | Rem | CTI | EPSS | CVE
1 | Siemens SIMATIC HMI United Comfort Panel authentication bypass | 7.5 | 7.5 | $5k-$25k | $5k-$25k | Not Defined | Not Defined | 0.00 | 0.00874 | CVE-2020-15787
2 | Microsoft Windows Advanced Local Procedure Call Privilege Escalation | 9.2 | 8.7 | $25k-$100k | $5k-$25k | Functional | Official Fix | 0.03 | 0.00651 | CVE-2023-21674
3 | Microsoft Windows Kernel Privilege Escalation | 7.2 | 6.5 | $25k-$100k | $5k-$25k | Unproven | Official Fix | 0.05 | 0.00053 | CVE-2022-21881
4 | Microsoft Windows SMB Witness Service privileges management | 8.8 | 8.1 | $25k-$100k | $5k-$25k | Unproven | Official Fix | 0.00 | 0.00120 | CVE-2023-21549
5 | Microsoft SQL Server Privilege Escalation | 8.1 | 7.4 | $25k-$100k | $5k-$25k | Unproven | Official Fix | 0.04 | 0.00043 | CVE-2022-23276
6 | Select2 cross site scripting | 5.2 | 5.2 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.04 | 0.00094 | CVE-2016-10744
7 | HP 3PAR Service Processor SP information disclosure | 4.3 | 4.3 | $5k-$25k | $0-$5k | Not Defined | Not Defined | 0.02 | 0.00110 | CVE-2015-5443
8 | Oracle Java SE/Java SE Embedded Deployment memory corruption | 10.0 | 9.5 | $25k-$100k | $0-$5k | Not Defined | Official Fix | 0.02 | 0.01195 | CVE-2013-5788
9 | WooCommerce PayU India Payment Gateway Plugin Purchase Price input validation | 6.3 | 6.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00 | 0.00114 | CVE-2019-14978
10 | WooCommerce Instamojo Payment Gateway Plugin Purchase amount Price input validation | 7.3 | 7.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00 | 0.00241 | CVE-2019-14977
11 | Microsoft IIS cross site scripting | 5.2 | 4.7 | $5k-$25k | $0-$5k | Proof-of-Concept | Official Fix | 0.02 | 0.00548 | CVE-2017-0055
12 | Apache HTTP Server smbvalid/smbval authensmb memory corruption | 10.0 | 9.5 | $25k-$100k | Calculating | Not Defined | Official Fix | 0.02 | 0.00133 | CVE-1999-1237
13 | Netgate pfSense XML File config.xml restore_rrddata command injection | 5.5 | 5.3 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.01 | 0.45928 | CVE-2023-27253
14 | Joomla Webservice Endpoint access control | 5.4 | 5.4 | $5k-$25k | $5k-$25k | Not Defined | Not Defined | 0.03 | 0.95214 | CVE-2023-23752
15 | Lars Ellingsen Guestserver guestbook.cgi cross site scripting | 4.3 | 4.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.03 | 0.00169 | CVE-2005-4222
16 | MGB OpenSource Guestbook email.php sql injection | 7.3 | 7.3 | $0-$5k | $0-$5k | High | Unavailable | 0.50 | 0.01302 | CVE-2007-0354
17 | Cloudflare WARP Client warp-cli Subcommand access control | 7.7 | 7.5 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00 | 0.00044 | CVE-2022-2225
18 | Siemens SIMATIC PCS 7/SIMATIC S7-PM/SIMATIC STEP 7 V5 code injection | 9.2 | 9.0 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.03 | 0.00084 | CVE-2023-25910
19 | Next.js next.config.js clickjacking | 5.1 | 5.0 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.03 | 0.00118 | CVE-2022-23646
20 | Linux Kernel memory corruption | 5.9 | 5.9 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00 | 0.00042 | CVE-2011-1477

IOC - Indicator of Compromise (11)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

TTP - Tactics, Techniques, Procedures (17)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (80)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID | Class | Indicator | Type | Confidence
1 | File | /objects/getImageMP4.php | predictive | High
2 | File | /payu/icpcheckout/ | predictive | High
3 | File | /uncpath/ | predictive | Medium
4 | File | adclick.php | predictive | Medium
5 | File | admin.php | predictive | Medium
6 | File | adrotate.pm | predictive | Medium
7 | File | article.php | predictive | Medium
8 | File | asn1fix_retrieve.c | predictive | High
9 | File | bigsam_guestbook.php | predictive | High
10 | File | xxxxx.xxx | predictive | Medium
11 | File | xxxx/xxx/.../xxxxxx | predictive | High
12 | File | xxxxxxxx.xxx | predictive | Medium
13 | File | xxxxx.xxx | predictive | Medium
14 | File | xxxxxx.xxx | predictive | Medium
15 | File | xxxxxxx.xxxx | predictive | Medium
16 | File | xxxxxx.xxx | predictive | Medium
17 | File | xx/xx_xxxxxxx.xxx | predictive | High
18 | File | xxxxxxxx.xxx | predictive | Medium
19 | File | xxxxxxx/xxxx/xxxxxx/xxxxxxx.x | predictive | High
20 | File | xxxxx.xxx | predictive | Medium
21 | File | xxxxxxxxx/xxxxx/xxxxxxxxxxxx/xxxxxxxxx.xxx | predictive | High
22 | File | xxxxxxx.xxx | predictive | Medium
23 | File | xxxxxxxxx.xxx | predictive | High
24 | File | xxx/xxxxxx.xxx | predictive | High
25 | File | xxxxx.xxx/xxxxxx.xxx/xxxxxxxxxxxxx.xxx/xxxxxxxx.xxx | predictive | High
26 | File | xxxxxxx/xxxxxxxxxxxxx.xxxx | predictive | High
27 | File | xxxx_xxxx.xxx | predictive | High
28 | File | xxxxxxxx.xxx | predictive | Medium
29 | File | xxx/xxxx/xxxx_xxxx.x | predictive | High
30 | File | xxxx.xxxxxx.xx | predictive | High
31 | File | xxx/xxxxx.xxxx | predictive | High
32 | File | xxxxxxx.xxx | predictive | Medium
33 | File | xxxx.xxx | predictive | Medium
34 | File | xxxxxxx.xxx | predictive | Medium
35 | File | xxxx-xx.xxx/xxx.xxxxx/xxx-xxxxxxxx-xxxx.xxx | predictive | High
36 | File | xxxx_xxxxxxx_xxxxxxxx.xxx | predictive | High
37 | File | xxx/xxxx/xxxx/xxx.xxxxxxxx.xxxxxxx/xxxxxxx/xxx/xxxxxx.xxxx | predictive | High
38 | File | xxxxxxx-xxxxxxx.xxx | predictive | High
39 | File | xx/xx/xxxxxxxxx_xxxxxxxxxxx.xxx | predictive | High
40 | File | xxxx.xxx | predictive | Medium
41 | File | xxxx/xxxxxxxxxxxx.xxx | predictive | High
42 | File | xxxxxxxxxxxx.xxx | predictive | High
43 | File | xxx.xxxxxxxx.xxx | predictive | High
44 | File | xxxxxxxx.xxx | predictive | Medium
45 | File | _xxxxxxxxx_xxxxxx_xxxxx___.xxx | predictive | High
46 | Library | xxxxxx.xxx | predictive | Medium
47 | Library | xxxxxxxx.xxx.xxx | predictive | High
48 | Argument | xxxxxxxxx | predictive | Medium
49 | Argument | xxxxxxxx | predictive | Medium
50 | Argument | xxxxxx | predictive | Low
51 | Argument | xxx_xxx | predictive | Low
52 | Argument | xxx | predictive | Low
53 | Argument | xxx_xx | predictive | Low
54 | Argument | xxx | predictive | Low
55 | Argument | xxxx_xx | predictive | Low
56 | Argument | xxxxxxx | predictive | Low
57 | Argument | xxxx | predictive | Low
58 | Argument | xxxxxxxx | predictive | Medium
59 | Argument | xxxxxxxxx->xxxxxxxxx | predictive | High
60 | Argument | xx | predictive | Low
61 | Argument | xxxx_xx | predictive | Low
62 | Argument | xxx | predictive | Low
63 | Argument | xx | predictive | Low
64 | Argument | xxxxxxxxxxxxxxxx | predictive | High
65 | Argument | xxxxxx/xxxxxx_xxxxxx | predictive | High
66 | Argument | xxxxxx | predictive | Low
67 | Argument | xxx | predictive | Low
68 | Argument | xxxx | predictive | Low
69 | Argument | xxxxxxx | predictive | Low
70 | Argument | xxx | predictive | Low
71 | Argument | xxxxx | predictive | Low
72 | Argument | xxx | predictive | Low
73 | Argument | xxxxxx | predictive | Low
74 | Argument | xxxxxxxx | predictive | Medium
75 | Argument | xxxxxxxx | predictive | Medium
76 | Argument | xxxxxxxx/xxxx | predictive | High
77 | Argument | xxxxxxxx:xxxxxxxx | predictive | High
78 | Input Value | xxx[…] | predictive | Medium
79 | Input Value | xxxxxxxxx:xxxxxxxx | predictive | High
80 | Network Port | xxx | predictive | Low

References (3)

The following list contains external sources which discuss the actor and the associated activities:
